ipfw and carp problems
Ian Smith
smithi at nimnet.asn.au
Wed Oct 29 09:55:22 UTC 2014
In freebsd-questions Digest, Vol 543, Issue 2, Message: 1
On Mon, 27 Oct 2014 15:16:33 +0100 Gerhard Schmidt <schmidt at ze.tum.de> wrote:
> Hi,
>
> I have a small problem with ipfw and carp.
>
> I have two servers with two carp IPs and a firewall via ipfw.
>
> The problem is that ipfw via module is default to deny. So when the carp
> interfaces are initialized ipfw has no custom rules. Everything is
> denied, even the carp packets. So every time I reboot one of the hosts
> it comes up as master and after the firewall rules are initialized one
> of the servers is demoted to backup, which one seems to be random.
>
> My problem is that my setup needs a new server to come up as backup
> because it has to replicate the data from the running server before
> being able to act as master. There could be data loss if a newly booted
> server is named master without first replicating the data.
>
> Is there a way to ensure that the firewall rules are up before the carp
> interfaces are initialized or to load the ipfw module with default to
> accept?
The canonical way was to build a custom kernel with ipfw included as per
http://www.freebsd.org/doc/handbook/firewalls-ipfw.html including
'options IPFIREWALL_DEFAULT_TO_ACCEPT'; however, you can accomplish
this with a GENERIC (or other) kernel by adding to /boot/loader.conf:
ipfw_load="YES" # to load the ipfw module early
and adding to /etc/sysctl.conf
net.inet.ip.fw.enable=0
net.inet6.ip6.fw.enable=0 # if using ipv6
/etc/rc.d/sysctl is run early (on 9.3, first) before other rc.d
scripts including netif and later ipfw, which will then only enable the
firewall after having loaded your ruleset.
I just tested this over ssh to a 9.3 GENERIC box not running ipfw:
root@x200:~/bin # kldload ipfw && sysctl net.inet.ip.fw.enable=0 \
&& sysctl net.inet6.ip6.fw.enable=0
net.inet.ip.fw.enable: 1 -> 0
net.inet6.ip6.fw.enable: 1 -> 0
root@x200:~/bin # ipfw show
65535 0 0 deny ip from any to any
which would have locked me out had it not worked :)
Of course you must accept that there is a vulnerable window between
starting net interfaces (netif) and starting ipfw, however minuscule.
cheers, Ian
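As an added example (not from Ian's mail, and not part of FreeBSD's own rc scripts), here is a small sh audit of the three-file arrangement he describes, plus a check on the ruleset that goes with it. Everything it writes for its own demo is constructed sample content. Beyond what the mail says, it assumes two things: that rc.conf must carry firewall_enable="YES" for /etc/rc.d/ipfw to run at all (otherwise the sysctl leaves the filter switched off for good, with the module loaded but the host unfiltered), and that the firewall_script has to contain an allow for CARP (protocol carp / 112, or the 224.0.0.18 group) ahead of its final deny.

```shell
#!/bin/sh
# Added example (not from Ian's mail or the FreeBSD base system): audit the
# arrangement described above. It checks that ipfw is loaded from loader.conf,
# that sysctl.conf keeps it disabled until /etc/rc.d/ipfw has loaded the rules
# and re-enabled it, that rc.conf actually runs /etc/rc.d/ipfw, and that the
# ruleset passes CARP before its catch-all deny. File paths are arguments so
# it can be run against copies; on a live host they would be /boot/loader.conf,
# /etc/sysctl.conf, /etc/rc.conf and whatever firewall_script names.

# conf_value FILE KEY: print the value of the last KEY=value line in FILE,
# skipping comment lines and stripping trailing comments and double quotes.
# Exact key match, so net.inet.ip.fw.enable does not match the IPv6 one.
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k != key) next
            sub(/[[:space:]]*#.*$/, "", v)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# check_early_ipfw LOADER_CONF SYSCTL_CONF RC_CONF: return 0 when the three
# files together give "module loaded early, filter off until the ruleset is
# in"; otherwise print what is missing and return 1.
check_early_ipfw() {
    rc=0
    if [ "$(conf_value "$1" ipfw_load)" != "YES" ]; then
        echo "loader.conf: ipfw_load=\"YES\" missing, module is only loaded when rc.d/ipfw runs"
        rc=1
    fi
    if [ "$(conf_value "$2" net.inet.ip.fw.enable)" != "0" ]; then
        echo "sysctl.conf: net.inet.ip.fw.enable=0 missing, default deny blocks CARP between netif and ipfw"
        rc=1
    fi
    if [ "$(conf_value "$2" net.inet6.ip6.fw.enable)" != "0" ]; then
        echo "note: net.inet6.ip6.fw.enable=0 not set; only needed if CARP runs over IPv6"
    fi
    if [ "$(conf_value "$3" firewall_enable)" != "YES" ]; then
        echo "rc.conf: firewall_enable=\"YES\" missing, nothing loads rules or turns the filter back on"
        rc=1
    fi
    return $rc
}

# check_carp_rule RULESET: return 0 if an allow rule for CARP (protocol name
# carp, IP protocol number 112, or the CARP multicast group 224.0.0.18)
# appears before any "deny ip/all from any to any" in a firewall_script of
# "ipfw add ..." (or "${fwcmd} add ...") lines; return 1 otherwise.
check_carp_rule() {
    awk '
        /^[[:space:]]*#/ { next }
        /(^|[[:space:]])add[[:space:]]/ {
            line = tolower($0)
            if (line ~ /(allow|accept|pass|permit)[[:space:]]/ &&
                line ~ /[[:space:]](carp|112)[[:space:]]+from|224\.0\.0\.18/) { found = 1; exit }
            if (line ~ /deny[[:space:]]+(log[[:space:]]+)?(ip|all)[[:space:]]+from[[:space:]]+any[[:space:]]+to[[:space:]]+any/) exit
        }
        END { exit !found }' "$1"
}

# write_samples DIR: constructed copies of the three config files and a
# ruleset in the arrangement from the mail (demo content, not a real host).
write_samples() {
    mkdir -p "$1"
    printf 'ipfw_load="YES"  # load the ipfw module early\n' > "$1/loader.conf"
    printf 'net.inet.ip.fw.enable=0\nnet.inet6.ip6.fw.enable=0\n' > "$1/sysctl.conf"
    printf 'firewall_enable="YES"\nfirewall_script="/etc/ipfw.rules"\n' > "$1/rc.conf"
    cat > "$1/ipfw.rules" <<'EOF'
#!/bin/sh
# constructed ruleset: CARP must be allowed before the catch-all deny
ipfw -q flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 allow carp from any to any
ipfw add 300 allow ip from any to 224.0.0.18
ipfw add 65000 deny ip from any to any
EOF
}

# Usage: sh ipfw-carp-audit.sh LOADER_CONF SYSCTL_CONF RC_CONF RULESET
if [ $# -eq 4 ]; then
    check_early_ipfw "$1" "$2" "$3" && check_carp_rule "$4" &&
        echo "ok: ipfw loads early, stays off until the rules are in, and CARP is allowed"
fi
```

Run it as "sh ipfw-carp-audit.sh /boot/loader.conf /etc/sysctl.conf /etc/rc.conf /etc/ipfw.rules" on the box; an exit status of 0 means all four files agree. The firewall_enable check is the one people forget: with net.inet.ip.fw.enable=0 in sysctl.conf and no rc.d/ipfw run, the module is loaded but the filter never comes back on.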